Layer 7 API Management


Pass-through auth via LDAP

  • 1.  Pass-through auth via LDAP

    Posted 09-13-2019 03:38 PM
    Edited by Petar Banicevic 09-14-2019 07:15 AM
    I want to set up LDAP pass-through:

    LDAP Client -> Gateway listener -> Policy -> Internal LDAP
    [----- SSL 1 -------------------------------][---- SSL 2 --------------------]

    I am exploring possibility:

    LDAP Client -> Gateway l7.raw.tcp listener -> policy using assertion "Raw TCP Routing" -> Internal LDAP
    [----- SSL 1 ------------------------------------------][---- SSL 2 ------------------------------------------------------------------]

    But how do I terminate and set up the SSL sessions? Can someone clarify the steps that need to be done?
    (The content type application/octet worries me too, both in the raw listener and in the Raw TCP Routing assertion.)

    Is there a more appropriate solution for LDAP pass-through?


  • 2.  RE: Pass-through auth via LDAP
    Best Answer

    Posted 09-15-2019 07:46 PM
    Dear Petar,
    Usually we use an identity provider for authentication,
    1. create ldap identity provider,
    https://docops.ca.com/ca-api-gateway/9-4/en/security-configuration-in-policy-manager/identity-providers/ldap-identity-providers/creating-an-ldap-or-simple-ldap-identity-provider
    2. in your policy,
    Require HTTP Basic Credentials
    Authenticate against xxx identity provider
    (xxx is the name of your LDAP identity provider from step 1)

    Regards,
    Mark


  • 3.  RE: Pass-through auth via LDAP

    Posted 19 days ago
    Edited by Petar Banicevic 19 days ago
    Dear Mark

    I did what you proposed, but I am not sure it solves my problem. Maybe we are talking about different scenarios. To clarify:

    • My phone has settings in which I am supposed to enter an LDAP server address, and the phone talks the LDAP protocol. In my case that LDAP server will be the gateway itself, which should check for LDAP injection and, if there is no injection, pass the data through to the internal LDAP server.

    In your last post you proposed making a simple LDAP connector, which was easy. When you suggested doing a policy with basic auth I got lost, because policies are linked to an HTTP listener (GET/POST/etc.) while the phone talks LDAP, not HTTP. That's why I asked whether I should use the RAW listener.

    Are we on the same page with this question?

    Thanks
    Peter

    PS - even worse, the phone comes with the LDAPS protocol, so the gateway is the termination point, and before passing through to the internal LDAP server I need LDAPS again... but let's leave this part out for now.
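The "check for LDAP injection" mentioned in the post above is an added example, not code from the thread or from the Layer7 gateway. It shows the application-side control that LDAP injection is normally handled with: escaping untrusted values before they are placed into a search filter (RFC 4515) or a bind DN (RFC 4514), with the vulnerable string-concatenation form beside the escaped one, and a simple structural check that counts filter components. The usernames, the base DN `ou=people,dc=example,dc=com` and the filter shape are constructed for illustration. Note that an LDAP client sends its filter BER-encoded (RFC 4511), so by the time a request reaches a proxy on the wire the filter is already a structured, well-formed object; escaping has to happen where the untrusted input is first turned into a filter.

```python
"""Added example (not from the thread): escaping untrusted input before it is
placed into an LDAP search filter or a bind DN.  Sample inputs and the base DN
are constructed for illustration."""


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    '(' ')' '*' '\\' and NUL must be written as \\XX hex escapes.  Any other
    byte may also be escaped the same way; we do that for control and
    non-ASCII characters (per UTF-8 byte) so the result is pure ASCII.
    """
    out = []
    for ch in value:
        if ch in '()*\\' or ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append(''.join(f'\\{b:02x}' for b in ch.encode('utf-8')))
        else:
            out.append(ch)
    return ''.join(out)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514, section 2.4).

    Backslash-escapes '"' '+' ',' ';' '<' '>' '\\' anywhere, '#' at the start,
    a space at the start or end, and writes NUL as \\00.
    """
    special = '"+,;<>\\'
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in special:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def search_filter_unsafe(username: str) -> str:
    # VULNERABLE: raw concatenation.  A username such as '*)(uid=*' rewrites
    # the filter so that it matches every person entry.
    return f'(&(uid={username})(objectClass=person))'


def search_filter_safe(username: str) -> str:
    # Hardened: metacharacters in the username become literal text.
    return f'(&(uid={escape_filter_value(username)})(objectClass=person))'


def bind_dn_safe(username: str, base: str = 'ou=people,dc=example,dc=com') -> str:
    # Bind DN built from an untrusted username; ',' cannot inject a new RDN.
    return f'uid={escape_dn_value(username)},{base}'


def count_filter_components(ldap_filter: str) -> int:
    """Number of '(' in the filter string, i.e. the number of filter nodes an
    LDAP server would parse.  Escaped parentheses (\\28 / \\29) are not
    counted, so a mismatch against the expected count reveals injection."""
    return ldap_filter.count('(')


if __name__ == '__main__':
    payload = '*)(uid=*'   # constructed injection attempt
    for build in (search_filter_unsafe, search_filter_safe):
        f = build(payload)
        print(f'{build.__name__:22s} {count_filter_components(f)} nodes: {f}')
    print(bind_dn_safe('jdoe,ou=admins'))
```

The expected filter has three nodes (the AND plus two equality matches); the unsafe builder produces four with the constructed payload, while the safe builder keeps three because the injected parentheses are emitted as `\28` and `\29`.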


  • 4.  RE: Pass-through auth via LDAP

    Posted 18 days ago
    In my opinion, it's not good practice to let the client query LDAP directly.
    But if that's how it was designed, then the client should connect to the real LDAP server.
    The gateway is not an LDAP server.

    If you want to hide the LDAP server, then the client needs to be changed to use another authentication method, such as OAuth, HTTP Basic, client cert, etc., which are supported by the Layer7 gateway.

    Regards,
    Mark